Description of problem:

The "traceLevel" and "traceComponents" cimconfig options control tracing for both the cimserver and cimprovagt processes. A Provider Agent Process writes its trace output to a file, in the /var/lib/Pegasus/cache/trace directory, whose name contains the associated provider module name. To ensure uniqueness (and avoid collisions in writing to the trace files), a user name is also appended to the trace file name. For example, the Provider Agent Process for the OperatingSystemModule in the context of user "A" writes to the trace file "cimserver.trc.OperatingSystemModule.A".

By default, only root has access to the /var/lib/Pegasus, /var/lib/Pegasus/cache/ and /var/lib/Pegasus/cache/trace directories.

    # chmod 777 Pegasus
    # chmod 777 Pegasus/cache
    # chmod 777 Pegasus/cache/trace

Note: Permissions on trace files allow read and write access to only the owner. E.g.,

    -rw------- 1 root  root    66550 May 6 15:03 cimserver.trc
    -rw------- 1 guest pegasus  6921 May 6 15:03 cimserver.trc.OperatingSystemModule.guest
    -rw------- 1 root  root      866 May 6 15:03 cimserver.trc.OperatingSystemModule.root

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure OS Provider to Run-As-Requestor
2. Enable tracing
   2A. # cimconfig -s traceLevel=4
   2B. # cimconfig -s traceComponents=ALL

Actual results:

Expected results:

Additional info:
OK, the next version will enable mode 0770 for /var/lib/Pegasus/cache/trace. I don't think users not in the pegasus group need write / search access to /var/lib/Pegasus/cache/trace - users must be in the pegasus group in order to connect to the cimserver, so I think mode 0770 should be sufficient, not 0777. I do not think we want to enable mode 0770 for /var/lib/Pegasus/cache, else any user could delete the /var/lib/Pegasus/cache/localauth directory, thus disabling local authentication.
Sounds good. If the administrator configures OpenPegasus to allow access by non-pegasus group users, they'll also need to change permissions on these directories to ...

    # chmod 755 Pegasus
    # chmod 755 Pegasus/cache
    # chmod 777 Pegasus/cache/trace

but we can document this. Thanks!
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0474.html
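
A check for the directory modes discussed in this report, as an added example that is not part of the bug report or of the OpenPegasus package. It assumes GNU stat and the layout <root>/Pegasus/cache/{trace,localauth}; the function names are hypothetical, and only mode bits are checked, not ownership.

```shell
#!/bin/sh
# Added example: audit the directory modes discussed in this report.
# Assumptions: GNU stat; <root> is /var/lib on a real system.

mode_of() {  # print the octal permission bits of a path
    stat -c '%a' "$1" 2>/dev/null
}

# audit_pegasus_perms ROOT: print findings, return 1 if any FAIL is found.
audit_pegasus_perms() {
    cache="$1/Pegasus/cache"
    trace="$cache/trace"
    rc=0

    # cache is the parent of localauth: group/other write on it lets a
    # non-root user delete (or rename) localauth.
    if m=$(mode_of "$cache"); then
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "FAIL $cache mode $m: writable by group/other (parent of localauth)"
            rc=1
        fi
    else
        echo "FAIL $cache: missing"; rc=1
    fi

    # trace needs group rwx (0770) so per-user provider agents can create
    # their own trace files; any bit for "other" is wider than 0770.
    if m=$(mode_of "$trace"); then
        if [ $(( 0$m & 070 )) -ne $(( 070 )) ]; then
            echo "FAIL $trace mode $m: group lacks rwx, per-user agents cannot write traces"
            rc=1
        fi
        if [ $(( 0$m & 007 )) -ne 0 ]; then
            echo "WARN $trace mode $m: open to users outside the group"
        fi
    else
        echo "FAIL $trace: missing"; rc=1
    fi
    return $rc
}

# Constructed demo tree: cache deliberately too open, trace at the proposed 0770.
demo=$(mktemp -d)
mkdir -p "$demo/Pegasus/cache/trace" "$demo/Pegasus/cache/localauth"
chmod 770 "$demo/Pegasus/cache" "$demo/Pegasus/cache/trace"
audit_pegasus_perms "$demo" || true
rm -rf "$demo"
```

On an installed system, run it as root with `audit_pegasus_perms /var/lib`; a WARN on the trace directory is expected when the administrator has deliberately opened it to users outside the pegasus group.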